Re: CVEs for FinTech
On Sun, 1 May 2016, Scott Lawler wrote:
: Something to think about is whether or not CVE should be tracking vulns
: in systems-of-systems (like SWIFT) or do we stay at the lower level of
: operating systems, application software, etc.
:
: There are thousands of larger systems made up of an infinite set of
: vulnerable sub components--with common vulns.
Vulns should be assigned based on 'where the flaw is'. If that is in a
third-party component, that should be tracked ideally. Failing to have
that information, we can only assign for the larger software package that
bundles the rest.
I've found it is helpful when approaching companies to explain the benefit
of them 'blaming the third-party code' so to speak, that in the long run,
vulnerability stats don't reflect as poorly on them. A bit of motivation
for them to come clean, at least enough to confirm the issue isn't in
their code.
I also had an offlist discussion with Kurt on this last night, and so far
the articles available do not positively show there is a vuln in SWIFT.
Rather, the articles talk about the attackers obtaining legitimate
credentials to the system, where they had access to manipulate the SWIFT
software (e.g. phishing -> malware). If so, that wouldn't warrant a CVE
ID.